× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. WEB400
  3. August 2004

Re: Apache for SSL Proxy?

Yes, you can do it and you need one external IP per domain.

If you're using subdomains you can use one cert for all
subdomains if you get a wildcard certificate (ie
*.mydomain.com).

Brad

On Mon, 9 Aug 2004 07:50:20 -0500
 "Jones, John (US)" <John.Jones@xxxxxxxxxxxxxxxxxxxxxxx>
wrote:
> So, you can do it but you need multiple IP addresses.
>   Is that correct
> or am I missing something?
> 
> TIA,
> 
> John A. Jones
> Americas Security Officer
> Jones Lang LaSalle, Inc.
> V: +1-630-455-2787 F: +1-312-601-1782
> John.Jones@xxxxxxxxxxxxxxxxxxxxxxx
> 
> -----Original Message-----
> From: Brad Stone [mailto:brad@xxxxxxxxxxxx] 
> Sent: Sunday, August 08, 2004 4:32 PM
> To: Web Enabling the AS400 / iSeries
> Subject: Re: [WEB400] Apache for SSL Proxy?
> 
> After some research on this, I found that it isn't
> possible.
> 
> Because SSL wraps the entire HTTP request (including the
> host headers)
> you currently need to have one IP for each SSL site you
> are running.  If
> it's behind a firewall, that means one external, and one
> internal per
> SSL site that is using a seperate certificate.
> 
> Even a firewall that can route by host name won't work
> with
> 2 domains using different certs.  Subdomain sites and the
> use of a
> wildcard certificate shouldn't be an issue.  But that
> isn't the case for
> my query.
> 
> Because SSL wraps the HTTP request, the web server must
> decrypt the
> request before applying any host matching, such as with
> Virtual Hosts.
> So, as Apache puts it, it's a "chicken and egg" problem.
>  Which comes
> first.  So, Apache always will use the first certificate
> specified in
> the config to do any decrypting.
> 
> There is an RFC in the works to solve this issue, but I
> wouldn't expect
> it to be implemented anytime soon juding from the talk
> about it.
> 
> Anyhow, it does make sense.  I wasn't completley aware
> that SSL wrapped
> everying... I assumed the headers were available... guess
> not.  :)  
> 
> Hope this helps for anyone else that ever ventures down
> this road.
> 
> 
> This email is for the use of the intended recipient(s)
> only.  If you have received this email in error, please
> notify the sender immediately and then delete it.  If you
> are not the intended recipient, you must not keep, use,
> disclose, copy or distribute this email without the
> author's prior permission.  We have taken precautions to
> minimize the risk of transmitting software viruses, but
> we advise you to carry out your own virus checks on any
> attachment to this message.  We cannot accept liability
> for any loss or damage caused by software viruses.  The
> information contained in this communication may be
> confidential and may be subject to the attorney-client
> privilege. If you are the intended recipient and you do
> not wish to receive similar electronic messages from us
> in future then please respond to the sender to this
> effect.
> 
> _______________________________________________
> This is the Web Enabling the AS400 / iSeries (WEB400)
> mailing list
> To post a message email: WEB400@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/web400
> or email: WEB400-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the
> archives
> at http://archive.midrange.com/web400.
> 

Bradley V. Stone
BVS.Tools
www.bvstools.com

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.